burkeholland / express-react-starter

A starter template for running React and Express from the same project

constantinople 3.0.2 arbitrary code execution vulnerability #12

Open tekowalsky opened 1 year ago

tekowalsky commented 1 year ago

jade "~1.11.0" in /server/package.json depends on constantinople 3.0.2. jade was last updated 8 years ago.
It has been replaced by pug.

constantinople 3.0.2 has a sandbox bypass vulnerability leading to arbitrary code execution. The earliest fixed version of constantinople is 3.1.1.

https://osv.dev/vulnerability/GHSA-4vmm-mhcq-4x9j

tekowalsky commented 1 year ago

jade also creates a dependency on critically vulnerable version 2.2.5 of uglify-js via transformers 2.1.0.
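An added example, not code from this issue or from the express-react-starter project, that audits a lockfile for the two transitive chains reported in the comments above (jade to constantinople below 3.1.1, and jade to uglify-js 2.2.5 through transformers). The lockfile and package.json contents are constructed, and the exact-version rule for uglify-js is an assumption because the issue names no fixed version for it.

```javascript
// Constructed sample shaped like an npm lockfile v1 "dependencies" tree; it mirrors the
// chains reported in the issue: jade -> constantinople 3.0.2 and jade -> transformers -> uglify-js 2.2.5.
const LOCKFILE = {
  dependencies: {
    jade: { version: "1.11.0", requires: { constantinople: "~3.0.1", transformers: "~2.1.0" } },
    constantinople: { version: "3.0.2" },
    transformers: { version: "2.1.0", requires: { "uglify-js": "~2.2.5" } },
    "uglify-js": { version: "2.2.5" },
  },
};
const PACKAGE_DEPS = { jade: "~1.11.0" }; // direct dependencies, as in package.json (constructed)

// Minimal numeric x.y.z comparison (no pre-release tags); returns -1, 0 or 1.
function compareSemver(a, b) {
  const [pa, pb] = [a, b].map((s) => s.split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}

const ADVISORIES = [
  // From the issue: constantinople is fixed in 3.1.1, so anything below it carries the sandbox bypass.
  { name: "constantinople", isAffected: (v) => compareSemver(v, "3.1.1") < 0 },
  // The issue calls uglify-js 2.2.5 critically vulnerable but names no fix, so flag only that exact version (assumption).
  { name: "uglify-js", isAffected: (v) => v === "2.2.5" },
];

// Resolve a package the way npm does: the nearest enclosing "dependencies" map wins.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) if (scopes[i][name]) return scopes[i][name];
  return null;
}

// Depth-first walk from each direct dependency, recording every path that reaches a
// package version matched by an advisory. Chains are returned as "name@version > ..." strings.
function findVulnerableChains(directDeps, lock, advisories) {
  const hits = [];
  const visit = (name, node, scopes, chain) => {
    const here = [...chain, `${name}@${node.version}`];
    if (advisories.some((a) => a.name === name && a.isAffected(node.version))) hits.push(here.join(" > "));
    const inner = node.dependencies ? [...scopes, node.dependencies] : scopes; // nested (non-hoisted) copies
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(dep, inner);
      if (child && !here.includes(`${dep}@${child.version}`)) visit(dep, child, inner, here); // skip cycles
    }
  };
  for (const name of Object.keys(directDeps)) {
    const node = resolve(name, [lock.dependencies]);
    if (node) visit(name, node, [lock.dependencies], []);
  }
  return hits;
}

console.log(findVulnerableChains(PACKAGE_DEPS, LOCKFILE, ADVISORIES).join("\n"));
```

Pointing the same walk at a real package-lock.json (after `JSON.parse`) reports each dependency path that has to be upgraded or replaced, which is the information needed to decide whether swapping jade for pug clears both chains.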

sudityashrivastav commented 7 months ago

It means 200+ projects are vulnerable to RCE.